From owner-freebsd-security@FreeBSD.ORG Tue Mar 1 01:06:57 2011
From: Alexander Sack
To: freebsd-security@freebsd.org
Date: Mon, 28 Feb 2011 19:33:49 -0500
Subject: FIPS compliant openssl possible within the FreeBSD build systems?

Hello:

I am a bit confused! I am reading the FIPS user guide and the
following document:

http://www.openssl.org/docs/fips/fipsnotes.html

I quote

"If even the tiniest source code or build process changes are required
for your intended application, you cannot use the open source based
validated module directly. You must obtain your own validation. This
situation is common; see "Private Label" validation, below."

Also, the openssl distribution has to match the right PGP keys.

So to those who are more of Openssl/FIPS experts than I, I have some
basic questions:

1) I assume it is impossible to make a FIPS capable openssl
distribution straight out of the FreeBSD source tree without "Private
Validation" as defined in the document above? (i.e. you can certainly
build it this way but you are violating the guidelines for FIPS
Compliance or do the maintainers out of src/crypto/openssl ENSURE that
the distro in that tree is equivalent to the openssl distro, even for
PGP key checks?)

2) Can you make a FIPS capable openssl port?

i.e. use the stock distro, write some script to validate keys, create
a separate FIPS port or part of the openssl port, etc. Case in point,
RHEL I believe has a FIPS compliant RPM which does this in its spec
file.

3) Does anyone know if common openssl consumers with FIPS mode set
breaks them? :-) (i.e. the Apache/mod_ssl's of the world)

My organization is investigating what it will take to make a fully
FIPS compliant system (capable first, but in a compliant way). I have
been assigned this most fantastic assignment. Any advice (other than
run), would be appreciated!

Thanks!

-aps

From owner-freebsd-security@FreeBSD.ORG Tue Mar 1 07:39:26 2011
From: FreeBSD Security Officer
Organization: FreeBSD Project
To: freebsd security, FreeBSD Stable
Reply-To: security-officer@freebsd.org
Date: Mon, 28 Feb 2011 23:39:34 -0800
Subject: FreeBSD supported branches update

Hello Everyone,

The branches supported by the FreeBSD Security Officer have been
updated to reflect the EoL (end-of-life) of FreeBSD 7.1. The new list
of supported branches is below and at <http://security.freebsd.org/>.

Users of FreeBSD 7.1 are advised to upgrade promptly to a newer release
(most likely the recently announced FreeBSD 7.4) either by downloading
an updated source tree and building updates manually, or (for i386 and
amd64 systems) using the FreeBSD Update utility as described in the
relevant release announcement.

The current supported branches and expected EoL dates are:

+---------------------------------------------------------------------+
|  Branch   |  Release   |  Type  |  Release date   |  Estimated EoL  |
|-----------+------------+--------+-----------------+-----------------|
|RELENG_7   |n/a         |n/a     |n/a              |February 28, 2013|
|-----------+------------+--------+-----------------+-----------------|
|RELENG_7_3 |7.3-RELEASE |Extended|March 23, 2010   |March 31, 2012   |
|-----------+------------+--------+-----------------+-----------------|
|RELENG_7_4 |7.4-RELEASE |Extended|February 24, 2011|February 28, 2013|
|-----------+------------+--------+-----------------+-----------------|
|RELENG_8   |n/a         |n/a     |n/a              |last release + 2y|
|-----------+------------+--------+-----------------+-----------------|
|RELENG_8_1 |8.1-RELEASE |Extended|July 23, 2010    |July 31, 2012    |
|-----------+------------+--------+-----------------+-----------------|
|RELENG_8_2 |8.2-RELEASE |Normal  |February 24, 2011|February 29, 2012|
+---------------------------------------------------------------------+

-- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid

From owner-freebsd-security@FreeBSD.ORG Thu Mar 3 17:23:14 2011
From: Alexander Sack
To: freebsd-security@freebsd.org
Date: Thu, 3 Mar 2011 12:23:12 -0500
Subject: Re: FIPS compliant openssl possible within the FreeBSD build systems?

On Mon, Feb 28, 2011 at 7:33 PM, Alexander Sack wrote:
> Hello:
>
> I am a bit confused! I am reading the FIPS user guide and the
> following document:
>
> http://www.openssl.org/docs/fips/fipsnotes.html
>
> I quote
>
> "If even the tiniest source code or build process changes are required
> for your intended application, you cannot use the open source based
> validated module directly. You must obtain your own validation. This
> situation is common; see "Private Label" validation, below."
>
> Also, the openssl distribution has to match the right PGP keys.
>
> So to those who are more of Openssl/FIPS experts than I, I have some
> basic questions:
>
> 1) I assume it is impossible to make a FIPS capable openssl
> distribution straight out of the FreeBSD source tree without "Private
> Validation" as defined in the document above? (i.e. you can certainly
> build it this way but you are violating the guidelines for FIPS
> Compliance or do the maintainers out of src/crypto/openssl ENSURE that
> the distro in that tree is equivalent to the openssl distro, even for
> PGP key checks?)
>
> 2) Can you make a FIPS capable openssl port?
>
> i.e. use the stock distro, write some script to validate keys, create
> a separate FIPS port or part of the openssl port, etc. Case in point,
> RHEL I believe has a FIPS compliant RPM which does this in its spec
> file.

I guess to put things more simply:

Has the distribution integrated within the FreeBSD source tree been
validated against its PGP keys so it can be built FIPS capable?

I really appreciate an official answer from one of the security officers.

Thanks!

-aps